What was extremely interesting about this campaign was the large number of domains it registered to be used in this abuse. Fortunately, these were all "GoDaddy.com" domains and were quickly brought under control to prevent the spread of the malware.

If you've read some of our Technical Reports, then you know that UAB has a unique capability to build "Spam Clusters" of messages related by many different factors. One of our fairly standard checks is to ask "what other spam is coming from the machines that sent us this spam?"

In this case, the answer was NOTHING.

It was as if every single machine that sent this spam message had been uniquely compromised for the sole purpose of sending us this email. Out of 9,610 sending IP addresses, only TWO of them had been seen previously sending spam to the UAB Spam Data Mine: two Viagra ads from 196.22.14.4 on February 18th and 19th, and a set of seven Viagra ads from 112.135.85.114 on February 8th and 9th. The other 9,608 sending IP addresses had not sent us any spam, at least in the past month. That's so unusual that it is actually impossible. There are so many bot-infected computers that if you randomly selected any 9,000 internet-connected computers, there is NO CHANCE that none of them had sent me spam.

It turns out the spam messages had "dubious header records" inserted.

To explore this deeper, I looked at the headers of 92 email messages I had personally received in this campaign (as opposed to the UAB Spam Data Mine receiving them -- the smaller data set is easier to manipulate for manual or quick scripting review.)

It turned out that the 92 emails, which at first seemed to come from 92 different IPs, actually came from 14 machines, with the most popular ones being:

All well-known spammer IPs (click links to see their "Project Honeypot" reputations).

While digging deeper, it seems that each of the spam messages was sent while authenticated into gmail. As a quick spot check, I examined the 92 email messages that I received in my personal accounts. Out of the 92, all 92 had an "envelope-from" and a matching "Return-Path:" header showing a gmail account that had been used to send the spam message:
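As an added example (not code from the original post), here is the kind of quick scripting review described above, in Python: it walks a constructed message's Received: chain from the recipient's side inward, stops at the first hop outside an assumed trusted-relay set, contrasts that with the naive bottom-most-Received: reading that "dubious header records" are designed to fool, and pulls the Return-Path. The relay names, IP addresses and the message itself are all constructed for this example.

```python
import email
import re
from email.utils import parseaddr

# Relays whose Received: stamps we accept as genuine (assumed for this example).
TRUSTED_RELAYS = ("mail.example.org", "mx.google.com")

# Constructed sample message. The top two Received: lines are real hops (our MX,
# then Gmail's authenticated submission, "ESMTPSA"); the bottom two are dubious
# records the sender stamped on the message itself before submitting it.
RAW_MESSAGE = """\
Return-Path: <throwaway.account@gmail.com>
Received: from mx.google.com (mx.google.com [192.0.2.20]) by mail.example.org with ESMTPS; Mon, 21 Feb 2011 10:00:03 -0600
Received: from [198.51.100.7] by mx.google.com with ESMTPSA id k7sm1; Mon, 21 Feb 2011 08:00:02 -0800
Received: from dsl-99.example.net ([203.0.113.99]) by relay.example.net with SMTP; Mon, 21 Feb 2011 07:59:00 -0800
Received: from [203.0.113.45] by dsl-99.example.net with SMTP; Mon, 21 Feb 2011 07:58:00 -0800
From: "A Friend" <throwaway.account@gmail.com>

body text
"""

IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
BY_HOST = re.compile(r"\bby\s+([\w.-]+)", re.IGNORECASE)

def parse_hops(raw):
    """One (from_text, from_ip, by_host, authenticated) tuple per Received: line, top first."""
    hops = []
    for line in email.message_from_string(raw).get_all("Received", []):
        from_text = line.split(" by ", 1)[0]          # the "from ..." clause only
        ip, by = IPV4.search(from_text), BY_HOST.search(line)
        hops.append((from_text, ip.group(1) if ip else None,
                     by.group(1).lower() if by else None, "ESMTPSA" in line))
    return hops

def naive_origin(raw):
    # Bottom-most Received: line -- the value the forged records put there.
    return parse_hops(raw)[-1][1]

def true_origin(raw, trusted=TRUSTED_RELAYS):
    """(ip, authenticated) for the first hop a trusted relay took from an untrusted party."""
    for from_text, from_ip, by_host, authed in parse_hops(raw):
        if by_host not in trusted:
            return None          # stamp not written by a relay we trust; stop
        if any(relay in from_text for relay in trusted):
            continue             # trusted relay handing off to trusted relay
        return from_ip, authed   # lines below this one are unverifiable
    return None

def return_path(raw):
    """Envelope sender as recorded by our MX; here a Gmail account, as in the campaign."""
    return parseaddr(email.message_from_string(raw)["Return-Path"])[1]
```

With the sample above the naive reading blames 203.0.113.45, while the trust-boundary walk lands on the Gmail-authenticated submission from 198.51.100.7.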